To defend a network against attacks you need a detailed understanding of the attacker's methods, the principles behind them and the way an attack unfolds; only then can protection be active, effective and targeted. The following describes how to detect and defend against attacks by analysing the characteristics of common attack methods.
I. Core Issues of Anti-Attack Technology
The core issue of anti-attack technology (intrusion detection technology) is how to capture all relevant network information. Currently that information is obtained in two ways. The first is to collect all network information (packet contents, traffic information, network status information, network management information, and so on); this is the path an attacker inevitably takes, and it is equally the necessary basis for defence. The second is to analyse the system logs of the operating system and applications to discover intrusion behaviour and latent security vulnerabilities in the system.
II. Main Methods of Hacker Attacks
Hackers can attack networks in many ways. In general, an attack exploits a system configuration defect, an operating system security vulnerability or a communication protocol security vulnerability. So far, more than 2000 types of attacks have been discovered, and most of them have corresponding countermeasures. These attacks can be divided into the following six categories:
1. DoS Attacks:
In general, a denial-of-service (DoS) attack stops some or all of the services of the target (usually a workstation or an important server) by overloading its critical system resources. Hundreds of denial-of-service attacks are known; they are the most basic form of intrusion attack and one of the hardest to deal with. Typical examples include SYN Flood, Ping Flood, Land and WinNuke attacks.
2. Unauthorized access attempts:
Attackers attempt to read, write or execute protected files, or try to obtain protected access permissions.
3. Pre-Attack Detection:
In preparation for a sustained unauthorized access attempt, attackers usually first probe to obtain information about the target network and its surroundings. Typical examples include SATAN scans, port scans and IP half-open scans.
4. Suspicious Activities:
Activities outside the scope of standard network communication, or activities that are not expected on the network, such as IP Unknown Protocol and Duplicate IP Address events.
5. Protocol Decoding:
Protocol decoding can be applied to any of the above undesirable activities. The network or security administrator performs the decoding and examines the results; the decoded protocol information may reveal the intended activity, such as FTP User and Portmapper Proxy events.
6. System Agent Attacks:
This type of attack is usually directed at a single host rather than the entire network. It can be monitored with the RealSecure system agent.
III. Characteristics Analysis of Hacker Attacks and Anti-Attack Technology
The most basic method of intrusion detection is pattern matching against known intrusion attacks. To carry out anti-attack operations effectively, you must first understand the principles and working mechanisms of each intrusion; only then can it be prevented effectively. Below we analyse several typical intrusion attacks and propose corresponding countermeasures.
1. Land Attack
Attack type: Land attack is a Denial-of-Service attack.
Attack characteristics: the source address and destination address of the packet used in a Land attack are the same. When an operating system receives such a packet, it may not know how to handle a connection whose source and destination are identical in its stack, or it may send and receive the packet in a loop; either way a large amount of system resources is consumed, which may cause the system to hang or crash.
Detection method: determine whether the source address and destination address of a network packet are the same.
Anti-attack method: configure the firewall or the filtering rules of the filtering router to prevent such attacks (usually by discarding the packet), and audit them (recording the time of the event and the MAC and IP addresses of the source and destination hosts).
2. TCP SYN Attack
Attack type: a TCP SYN attack is a denial-of-service attack.
Attack characteristics: it exploits a weakness in the three-way handshake between a TCP client and server. The attacker sends a large number of SYN packets with forged source IP addresses to the target. To process these connections the target host must allocate a large amount of buffer space; it also sends SYN-ACK packets back to the forged addresses and waits for an ACK that never comes. Eventually the buffers are exhausted and other, valid SYN connections cannot be processed, so the system can no longer provide services.
Detection method: check whether the number of SYN connection requests received per unit time exceeds the threshold set by the system.
Anti-attack method: when a large number of SYN packets is received, notify the firewall to block the connection requests or discard the packets, and perform a system audit.
3. Ping Of Death Attack
Attack type: Ping of Death is a denial-of-service attack.
Attack characteristics: the attack packet exceeds 65535 bytes. When some operating systems receive a packet larger than 65535 bytes, the result may be a memory overflow, system crash, restart, kernel failure or other consequences.
Detection method: determine whether the packet size is greater than 65535 bytes.
Anti-attack method: apply the latest patches; when a packet larger than 65535 bytes is received, discard it and have the system audit the event.
4. WinNuke attack
Attack type: a WinNuke attack is a denial-of-service attack.
Attack characteristics: a WinNuke attack, also known as an out-of-band (OOB) attack, is characterised by its target ports, usually 139, 138, 137, 113 and 53, and by the URG bit being set to 1, i.e. urgent mode.
Detection method: determine whether the destination port of the packet is 139, 138, 137 or another of the ports above, and whether the URG bit is 1.
Anti-attack method: configure the firewall or filtering router to prevent such attacks (discard the packet) and audit them (record the time of the event and the MAC and IP addresses of the source and destination hosts).
5. Teardrop Attack
Attack type: Teardrop is a denial-of-service attack.
Attack characteristics: Teardrop uses malformed fragmented UDP packets. It works by sending several fragmented IP packets to the target (each IP fragment carries the identifier of the datagram it belongs to and its offset within that datagram); some operating systems crash or restart when they receive forged fragments whose offsets overlap.
Detection method: analyse the received fragments and check whether their offsets are consistent.
Anti-attack method: apply the system patch, discard packets that carry malformed fragments, and audit the attack.
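As an added illustration of the four per-packet checks described above (Land, Ping of Death, WinNuke and Teardrop), here is a small Python detector; it is not part of the original article. The `Packet` record, `classify` and `audit_line` are names chosen for this example, the thresholds are the ones the article states, and the traffic it runs over is a handful of constructed packet headers rather than a live capture.

```python
from dataclasses import dataclass

WINNUKE_PORTS = {139, 138, 137, 113, 53}   # target ports the article lists for WinNuke
MAX_IP_DATAGRAM = 65535                    # largest legal IPv4 datagram, in bytes


@dataclass
class Packet:
    """Header fields needed by the checks (hypothetical record, not a real capture format)."""
    ts: float             # capture time in seconds
    src_mac: str
    dst_mac: str
    src: str              # source IPv4 address
    dst: str              # destination IPv4 address
    proto: str            # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    urg: bool = False     # TCP URG flag (the article's "urgent mode")
    frag_id: int = 0      # IP identification field shared by all fragments of one datagram
    frag_offset: int = 0  # byte offset of this fragment within the datagram
    payload_len: int = 0  # payload bytes carried by this fragment
    more_frags: bool = False


def is_land(pkt: Packet) -> bool:
    """Land: source and destination addresses are identical."""
    return pkt.src == pkt.dst


def is_ping_of_death(pkt: Packet) -> bool:
    """Ping of Death: a fragment ending beyond 65535 bytes means the reassembled
    datagram would exceed the IPv4 maximum (no single wire packet can be that large)."""
    return pkt.frag_offset + pkt.payload_len > MAX_IP_DATAGRAM


def is_winnuke(pkt: Packet) -> bool:
    """WinNuke: a TCP segment with URG set, aimed at one of the listed ports."""
    return pkt.proto == "TCP" and pkt.urg and pkt.dport in WINNUKE_PORTS


def fragments_overlap(frags) -> bool:
    """Teardrop: after sorting by offset, any fragment that starts before the
    previous one ends has an inconsistent (overlapping) offset."""
    end = 0
    for f in sorted(frags, key=lambda f: f.frag_offset):
        if f.frag_offset < end:
            return True
        end = f.frag_offset + f.payload_len
    return False


def classify(pkt: Packet, frag_table: dict) -> list:
    """Apply all four checks to one packet and return the alert names raised.
    frag_table keeps the fragments seen so far per (src, dst, frag_id), so the
    Teardrop check is stateful across packets while the other three are not."""
    alerts = []
    if is_land(pkt):
        alerts.append("LAND")
    if is_ping_of_death(pkt):
        alerts.append("PING_OF_DEATH")
    if is_winnuke(pkt):
        alerts.append("WINNUKE")
    if pkt.more_frags or pkt.frag_offset > 0:
        frags = frag_table.setdefault((pkt.src, pkt.dst, pkt.frag_id), [])
        frags.append(pkt)
        if fragments_overlap(frags):
            alerts.append("TEARDROP")
    return alerts


def audit_line(pkt: Packet, alerts: list) -> str:
    """Audit record in the form the article asks for: time, MACs and IPs of both hosts."""
    return (f"{pkt.ts:.3f} {','.join(alerts)} "
            f"{pkt.src_mac}/{pkt.src} -> {pkt.dst_mac}/{pkt.dst}")


# Constructed sample traffic (not captured data): one benign segment followed by
# one instance of each attack pattern; 10.0.0.9 / 00:11:22:33:44:09 is the protected host.
HOST, HOST_MAC = "10.0.0.9", "00:11:22:33:44:09"
SAMPLE = [
    Packet(1.0, "00:11:22:33:44:01", HOST_MAC, "10.0.0.1", HOST, "TCP", 40000, 80),
    Packet(1.1, "00:11:22:33:44:02", HOST_MAC, HOST, HOST, "TCP", 139, 139),
    Packet(1.2, "00:11:22:33:44:03", HOST_MAC, "10.0.0.3", HOST, "ICMP",
           frag_id=7, frag_offset=65520, payload_len=32),
    Packet(1.3, "00:11:22:33:44:04", HOST_MAC, "10.0.0.4", HOST, "TCP", 1234, 139, urg=True),
    Packet(1.4, "00:11:22:33:44:05", HOST_MAC, "10.0.0.5", HOST, "UDP",
           frag_id=9, frag_offset=0, payload_len=36, more_frags=True),
    Packet(1.5, "00:11:22:33:44:05", HOST_MAC, "10.0.0.5", HOST, "UDP",
           frag_id=9, frag_offset=24, payload_len=20),
]


def run(packets=SAMPLE) -> dict:
    """Run the detector over a packet list; print an audit line per alerting packet
    and return {alert_name: count}."""
    counts, frag_table = {}, {}
    for pkt in packets:
        alerts = classify(pkt, frag_table)
        if alerts:
            print(audit_line(pkt, alerts))
        for name in alerts:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print(run())
```

The Ping of Death check looks at fragment offset plus length rather than at a single packet's size, because an oversized datagram only ever arrives as fragments; the Teardrop check needs the whole fragment set, which is why `classify` carries a fragment table between calls.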
6. TCP/UDP port scanning
Attack type: a TCP/UDP port scan is a pre-attack detection (reconnaissance) attack.
Attack characteristics: TCP or UDP connection requests are sent to different ports of the target host to discover which services it runs.
Detection method: collect external connection requests to system ports, especially requests to uncommon ports other than 21, 23, 25, 53, 80, 8000 and 8080.
Anti-attack method: when multiple TCP/UDP connection requests to abnormal ports are received, the firewall blocks the connection requests, and the attacker's IP address and MAC address are audited.
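The two checks above that depend on a count per unit time (the SYN threshold in item 2 and the uncommon-port probes in item 6) need state across packets. The following Python sliding-window detector is an added example, not code from the article; `RateDetector` and its thresholds are assumed values chosen for the example, the common-port list is the one the article gives, and the events it replays are constructed header records, not captured traffic.

```python
from collections import defaultdict, deque

# Ports the article treats as ordinary; requests to any other port count as probes.
COMMON_PORTS = {21, 23, 25, 53, 80, 8000, 8080}


class RateDetector:
    """Sliding-window counters for the two threshold checks above. The thresholds
    and window are assumed values for this example; a real deployment tunes them
    per host from its normal traffic."""

    def __init__(self, syn_threshold=100, scan_threshold=5, window=1.0):
        self.syn_threshold = syn_threshold    # bare SYNs per window before alerting
        self.scan_threshold = scan_threshold  # distinct uncommon ports per source before alerting
        self.window = window                  # seconds
        self.syn_times = deque()              # timestamps of bare SYNs to the protected host
        self.probes = defaultdict(dict)       # src -> {uncommon port: last seen timestamp}
        self.scanners = set()                 # sources already reported, so each is alerted once
        self.in_flood = False                 # currently above the SYN threshold

    def _expire(self, now):
        """Drop everything older than the window so counts reflect recent traffic only."""
        cutoff = now - self.window
        while self.syn_times and self.syn_times[0] < cutoff:
            self.syn_times.popleft()
        if len(self.syn_times) <= self.syn_threshold:
            self.in_flood = False             # flood episode over; a new one may be reported
        for src in list(self.probes):
            self.probes[src] = {p: t for p, t in self.probes[src].items() if t >= cutoff}
            if not self.probes[src]:
                del self.probes[src]

    def on_packet(self, ts, src, dport, syn=False, ack=False):
        """Feed one inbound TCP/UDP header (timestamps must be non-decreasing);
        return the list of alerts it raises."""
        self._expire(ts)
        alerts = []
        if syn and not ack:                   # a bare SYN is a new connection attempt
            self.syn_times.append(ts)
            if len(self.syn_times) > self.syn_threshold and not self.in_flood:
                self.in_flood = True
                alerts.append("SYN_FLOOD")
        if dport not in COMMON_PORTS:
            self.probes[src][dport] = ts
            if len(self.probes[src]) >= self.scan_threshold and src not in self.scanners:
                self.scanners.add(src)
                alerts.append(f"PORT_SCAN from {src}")
        return alerts


def constructed_events():
    """Constructed header records (ts, src, dport, syn, ack), not captured traffic."""
    events = []
    # A scanner walks eight uncommon ports on the host within 0.4 s.
    for i, port in enumerate(range(1024, 1032)):
        events.append((10.0 + 0.05 * i, "192.0.2.44", port, True, False))
    # Ordinary web traffic: a few SYNs to port 80 spread over two seconds.
    for i in range(5):
        events.append((20.0 + 0.5 * i, f"198.51.100.{i + 1}", 80, True, False))
    # SYN flood: 150 bare SYNs to port 80 within 0.15 s from spoofed sources.
    for i in range(150):
        events.append((30.0 + 0.001 * i, f"203.0.113.{i % 250 + 1}", 80, True, False))
    return events


def run(events=None) -> list:
    """Replay the events through one detector and return every alert raised, in order."""
    det = RateDetector()
    raised = []
    for ts, src, dport, syn, ack in (events if events is not None else constructed_events()):
        for alert in det.on_packet(ts, src, dport, syn=syn, ack=ack):
            print(f"{ts:.3f} {alert}")
            raised.append(alert)
    return raised


if __name__ == "__main__":
    run()
```

The port-scan alert names the source, which is what a firewall rule can act on; the SYN-flood alert deliberately does not, because the source addresses in a SYN flood are forged and a block list built from them would only hit innocent hosts, the problem item 5 of section IV describes.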
For complex intrusion attacks (such as distributed attacks and combined attacks), pattern matching alone is not enough; intrusion detection also needs state-transition analysis, knowledge of the network topology and other methods.
IV. Thoughts on Intrusion Detection Systems
In terms of performance, the contradiction facing an intrusion detection system is the trade-off between performance and functionality: comprehensive and complex inspection of data places great demands on the system's real-time requirements.
Technically, intrusion detection systems still have problems to be solved, mainly in the following aspects:
1. There are no mature methods or solutions for identifying large-scale combined and distributed intrusion attacks. The well-known attacks on ICPs such as Yahoo have shown that security issues are becoming more and more prominent, the skill level of attackers keeps rising, attack tools are increasingly sophisticated and varied, and attack techniques increasingly complex; intrusion detection systems must therefore keep track of the latest security technologies.
2. A network intrusion detection system detects attack behaviour by matching network packets. It often assumes that the attack information is transmitted in plaintext, so a change of encoding or re-encoding of the information may evade detection; string matching is powerless against encrypted packets.
3. As network devices become more complex and diverse, intrusion detection systems must be customised to meet more and more environment requirements.
4. There are no objective criteria for evaluating intrusion detection systems, and the lack of consistent standards makes it difficult to interconnect them. Intrusion detection is a new technology; as technology develops and new attacks are recognised, intrusion detection systems must be upgraded constantly to keep the network secure.
5. Improper automatic responses can themselves create risks. An intrusion detection system usually works together with a firewall: when it discovers an attack, it has the firewall filter out all IP packets from the attacker. If an attacker spoofs a large number of different IP addresses in a simulated attack, the intrusion detection system automatically configures the firewall to filter out addresses that are not attacking at all, and a new denial of service results.
6. Attacks against the IDS. Like any other system, an IDS has its own security vulnerabilities. If an attack on the IDS succeeds, alarms may fail and the intruder's actions will not be recorded afterwards, so the system should adopt multiple security measures.
7. As network bandwidth increases, there are still many technical difficulties in developing a high-speed network-based detector (event analyser).
As a critical network security inspection and prevention system, intrusion detection has many aspects worth further research and needs further improvement in order to provide effective security measures for future network development.